Container Intelligence Service (the AIOps suite) assumes the default Container Service for Kubernetes (ACK) role AliyunCSDefaultRole to manage clusters that are created before October 30, 2023. To enhance permission control, Container Intelligence Service will assume a new Resource Access Management (RAM) role starting from October 30, 2023. Container Intelligence Service assumes this role to access resources, including all ACK clusters that belong to your Alibaba Cloud account.
Impacts
By default, AliyunCISDefaultRole is used for Container Service for Kubernetes that is activated and ACK clusters that are created on October 30, 2023 and later.
If you use Container Intelligence Service to perform cluster inspections or diagnostics in a cluster that is created before October 30, 2023, the system prompts you to assign the AliyunCISDefaultRole role to ACK.
Starting from October 30, 2023, when you create a cluster, the system prompts you to assign the AliyunCISDefaultRole role to ACK.
Assign the AliyunCISDefaultRole role to ACK
The default RAM role assumed by Container Intelligence Service is changed from AliyunCSDefaultRole to AliyunCISDefaultRole because the permissions provided by AliyunCSDefaultRole are reduced. After the change is applied, the system prompts you to assign the AliyunCISDefaultRole role to ACK when you create clusters in the ACK console or perform operations in the Container Intelligence Service console.
Use an Alibaba Cloud account or a RAM user that is attached with the AliyunRAMFullAccess or AdministratorAccess policy to log on to the ACK console. Then, click Go to RAM console and complete authorization on the page that appears.
NoteIf you call API operations to create clusters or use Container Intelligence Service, click Authorization to complete authorization.
In the lower part of the page that appears, click Agree to Authorization.
Log on to the Container Intelligence Service console again. You can then perform cluster diagnostics and inspections.